Credit Services Association 
Response to ICO call for views on updating the data sharing code of practice 


voice of the collections industry 


1. Credit Services Association - overview 


1.1 The Credit Services Association (CSA) is the only national trade association in the UK for 
organisations active in the debt collection and purchase industry. The CSA, which has a 
history dating back to 1906, has around 300 member companies which represent 90% of the 
industry, and employ 11,000 people. The membership also comprises specialist tracing 
agencies, in-house collection departments of large banks and utility companies, accountancy 
firms, law firms and all three major credit reference agencies. 


1.2 The clients of CSA members include major financial institutions (such as banks and building 
societies), credit grantors, government departments and local authorities, utility companies 
and mail order businesses. 


1.3 At any one time, the CSA’s members hold up to £60 billion for collection, returning nearly £3 
billion in collections to the UK per annum. As the voice of the collections industry, our vision 
is to build confidence in debt collection by making the entire process clear, easy to 
understand and less stressful for all those involved. Further information on the CSA can be 
found at: http://www.csa-uk.com. 


1.4 The functions performed by CSA members are vital to the operation of the various sectors in 
which they operate. Unpaid debts cause damage to lenders / suppliers and to borrowers by 
adding costs to the system which result in higher prices for credit or goods/services. Serious 
problems with unpaid debt may also lead to restrictions in the availability of credit, 
particularly to consumers who may otherwise find it difficult to obtain cost-effective credit 
and therefore have a detrimental impact on the overall growth of the economy. 


2. Feedback 


2.1 The ICO’s current Code of Practice around data sharing is an incredibly useful tool and 
provides a lot of helpful information for firms. However, as the Code is updated to reflect the 
changes in data protection law, we would welcome additional clarity in several areas. 


2.2 We have outlined the specific areas where we would appreciate ICO guidance below; 
however, it is also clear that the Code will need substantial updates (or entirely new sections) 
in the following areas: 


• Data subject rights — particularly right of access, right to be informed and right to 
data portability. In terms of the right to data portability, we would welcome some 
clarity around how this applies across different sectors and whether it is primarily 
focused on utilities / services and changing providers. 

• Changes to processor-controller agreements, including requirements and 
responsibilities. 

• Data Protection Officers — their responsibilities around data sharing; what firms 
without a DPO should do. 

• Modern technology and working practices — changes in the ways people work and 
the technology they use are one of the driving factors behind the change to data 
protection law, so this will need to be reflected in the Code of Practice e.g. working 
from home; flexible working; Bring Your Own Device. 


2.3 The ICO has already produced guidance on these areas in different publications, so should be 
well-placed to incorporate and expand upon existing guidance in the Code. 


2.4 Looking more specifically at the changes to legislation and the practices of our members, the 
following areas may benefit from the additional clarity or guidance that a Code of Practice 
can provide. 


Ad-hoc / one-off data sharing 


2.5 The current Code of Practice provides some example scenarios around data sharing and what 
constitutes best practice. In relation to ad-hoc and one-off data sharing, we find that one 
particular scenario can prove challenging for our members and supporting guidance from the 
ICO may help address the concerns and ensure a more flexible, customer-friendly approach. 


2.6 CSA members will sometimes be contacted by a third party who needs to discuss the 
customer’s account. For example, the customer may have had a medical emergency and be 
in serious ill health, or the customer may be serving in the armed forces and the third party is 
responsible for their mail. Unfortunately, if the customer has not provided, or is unable to 
provide, authority for the third party to act on their behalf, CSA members are unable to 
discuss matters with the third party. 


2.7 In the absence of discussion, either with the customer or with a legitimately authorised third 
party, there could be negative consequences for the customer. The creditor may add further 
fees and charges or may decide to pursue legal action. 


2.8 Given those potential consequences, we believe there are grounds in some instances to 
share information with a third party so that appropriate steps can be taken to help the 
customer — for example, advising the debt amount in order to take payment from a third 
party; explaining the status of the account and any information required if the customer is in 
ill health. 


2.9 This flexibility would ensure that those involved in recovering debts can respond to the 
different circumstances of their customers and ensure better outcomes for those customers. 


2.10 Of course, there should be sensible measures in place around disclosure to third parties and 
companies should implement suitable controls before disclosure. The disclosure outlined 
above should be on a case-by-case basis and any decision to disclose clearly documented, 
including the justification for that decision. 


2.11 We would imagine that there are other financial services firms beyond our members who 
encounter similar circumstances, where ad-hoc or one-off data sharing would improve 
customer outcomes and is a reasonable and appropriate approach. 


2.12 We would therefore welcome clarity from the ICO that in circumstances such as those 
described here, it may be appropriate to share data without the data subject’s authority. 


Right to be informed - exemptions 


2.13 The current Code of Practice clarifies the exemptions that exist in UK law in relation to data 
sharing without the individual’s knowledge. 


2.14 The Data Protection Act 2018 retains exemptions to data subject rights in certain contexts 
(e.g. sharing for the purposes of recovering taxes and duties; sharing for the purposes of 
preventing fraud) and we would encourage the ICO to retain this clarity in any updated Code 
of Practice. 


2.15 We believe the Code of Practice should provide clarity on the exemptions for the recovery of 
government debts and the prevention of fraud, money laundering and terrorist financing. 


Human rights 


2.16 Whilst the current Code of Practice already includes reference to human rights, it would be 
helpful for the ICO to provide additional guidance on the rights, outside of those granted by 
data protection legislation, that firms need to consider when ensuring their data processing 
takes account of the “rights and freedoms” of data subjects. 


Privacy notices 


2.17 Although there is no set template for providing the information required by Articles 13 and 
14 of the GDPR, this Code of Practice provides an opportunity for the ICO to guide firms on 
the most appropriate way(s) to communicate information about data sharing, for example 
identifying recipients and / or categories of recipients of personal data within privacy notices. 


Data sharing post-Brexit / post-Privacy Shield 


2.18 We believe that it is essential the Code provides some examples of best practice for 
cross-border data sharing once the UK leaves the European Union, and the measures that firms 
should be taking now to prepare in the meantime. 


2.19 At this point in time, it is unclear what safeguards are available to firms, especially in the case 
of a ‘no deal’ Brexit. Although standard contractual clauses exist in relation to previous data 
protection legislation, there is not presently a set of GDPR-compliant standard contractual 
clauses. We would appreciate clarity from the ICO on the validity of using the existing 
standard contractual clauses, in the absence of any revisions or updates for GDPR. 


2.20 Whilst we understand the situation is subject to change as the government negotiates the 
exit from the European Union, we believe there should, at a minimum, be guidance for firms 
on any steps they can take to prepare now, particularly in relation to any existing 
international data transfers. The ICO’s Code of Practice should also outline what measures 
firms can take in the worst case scenario of the UK leaving without a deal. 


2.21 If this is not suitable for the Code of Practice, the ICO should consider releasing separate 
guidance on the UK’s exit from the European Union to ensure UK firms are adequately 
prepared and understand all the options available to safeguard customer data and ensure 
compliance with the GDPR and Data Protection Act 2018. 


2.22 Similarly, there are concerns about the stability of the EU-US Privacy Shield agreement, with 
it being subject to legal challenges. We would therefore welcome guidance on how firms 
should prepare should the Privacy Shield fall apart and how data transfers would continue. 